Evolution of DRM: streaming services use unencrypted MP3s

The Electronic Frontier Foundation's Fred von Lohman has found that two sites …

For the music industry, DRM might have started out being an antipiracy measure, but these days, it's becoming increasingly clear that it's used by the labels as a way of manipulating the market. The labels have largely prevented Apple from offering DRM-free music via iTunes, apparently because they are concerned with Cupertino's dominance of the download market, but have granted that right to Amazon. Meanwhile, the music licensing company SoundExchange has offered DRM as an escape clause for the increased royalties on Internet streaming; the new fees may be pushing Internet radio companies out of business. Now, word has come out that at least some streaming services are getting away with sending mildly obfuscated MP3s to their users.

The situation is detailed by Fred von Lohman of the Electronic Frontier Foundation. von Lohman has tracked how data is provided by two different streaming services, and found that both of them ship raw, unencrypted MP3 data direct to the user's machine.

One of the sites, imeem, is an ad-supported social media site that, along with hosting blogs and video, streams songs to their registered users. Those songs, which are packaged up in Adobe Flash format, apparently get saved in the operating system's temporary items folder. These files get purged quickly or overwritten by the next song downloaded, but interested users can quickly copy them out before this happens. Extracting the sound portion of a Flash file is not technically challenging, either.

The other site mentioned, Lala, offers a variety of music services, including basic purchases of DRM-free music. But it also offers browser-based streaming of songs for a low fee of $.10—simply pay once, and you can load it up in the bowser whenever you want. Or not. A quick check of network activity shows that it's simply sending raw MP3 data along with some wrappers that compel the browser not to cache it. Getting access to that is probably a bit harder than cracking open a Flash file, but still not exactly rocket science.

These companies have not always gotten along well with the labels, but currently have licenses for everything they stream. This doesn't mean that the record companies necessarily condone this DRM-through-obscurity approach—although von Lohman concludes that they do, and reads this as a sign that streaming DRM is dead. At the least, it suggests that the labels don't care enough to check whether the companies are implementing a significant barrier to piracy.

In either case, it's clear that the labels aren't viewing these relatively low-profile streaming companies as either a major contributor to piracy, or a major strategic threat, so they apparently don't care enough to make sure that DRM is actually being enforced. Which, as we noted at the outset, is another indication that DRM is no longer about piracy, but all about a marketing strategy.